"Traditional IT firewalls either allow a certain protocol or block it. Fine-grained control of the protocol is impossible."
"This is an issue because the SCADA ICS protocols themselves have no granularity. From the perspective of the port number, a data read message looks EXACTLY like a firmware update message. If you allow data read messages, from an HMI to a PLC, to pass through a traditional firewall, you are also allowing programming messages to pass through."
"A Deep Packet Inspection firewall inspects the content contained in messages and applies more detailed rules. It is designed to understand the specific SCADA protocols and then apply filters on fields and values that matter to control systems."
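The contrast drawn in the quotes above (a port-based rule cannot tell a read from a write or a programming message; a protocol-aware rule can) is shown below in an added example that is not part of the quoted material. Modbus/TCP on TCP port 502 is chosen as the representative SCADA protocol (an assumption; the quotes name no specific protocol), and the function-code groupings, the `read_window` parameter, and the sample messages are all constructed for this illustration.

```python
"""Added example: port-based filter versus protocol-aware (DPI) filter for Modbus/TCP.

Assumptions (not from the quoted text): Modbus/TCP as the SCADA protocol, its
standard port 502, and its public function codes. Every Modbus/TCP message
shares the same port, so a port rule sees a register read and a register write
as identical; parsing the MBAP header and the function code separates them.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes, grouped by what they do to the PLC.
READ_CODES = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 23}  # write single/multiple coils or registers, read-write regs
DIAG_CODES = {8, 43}              # diagnostics, encapsulated interface transport (MEI)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:  # protocol identifier 0 means Modbus
        raise ValueError(f"unexpected protocol id {pid}")
    # 'length' counts the unit id plus every PDU byte that follows the length field.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload size")
    return ModbusRequest(tid, uid, payload[7], payload[8:])


def port_filter(dst_port: int) -> str:
    """A traditional rule: anything to TCP/502 is allowed, whatever it contains."""
    return "ALLOW" if dst_port == 502 else "DENY"


def dpi_filter(dst_port: int, payload: bytes, allow_writes: bool = False,
               read_window: tuple = (0, 0xFFFF)) -> str:
    """A protocol-aware rule: allow reads (optionally only within a register
    window), deny writes unless explicitly permitted, deny diagnostic/programming
    class requests and anything that does not parse as Modbus."""
    if dst_port != 502:
        return "DENY"
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"DENY (malformed: {exc})"
    if req.function_code in READ_CODES:
        if len(req.data) < 4:
            return "DENY (malformed read request)"
        start, count = struct.unpack(">HH", req.data[:4])
        lo, hi = read_window
        if count == 0 or start < lo or start + count - 1 > hi:
            return "DENY (read outside permitted register window)"
        return "ALLOW"
    if req.function_code in WRITE_CODES:
        return "ALLOW" if allow_writes else "DENY (write to PLC)"
    if req.function_code in DIAG_CODES:
        return "DENY (diagnostic/programming class)"
    return "DENY (unknown function code)"


def build_modbus_tcp(tid: int, uid: int, fc: int, pdu_data: bytes) -> bytes:
    """Build a Modbus/TCP ADU for the constructed sample messages below."""
    pdu = bytes([fc]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic: all three go to port 502 from the same HMI.
READ_HOLDING = build_modbus_tcp(1, 1, 3, struct.pack(">HH", 0, 10))        # read 10 regs at 0
WRITE_REGISTER = build_modbus_tcp(2, 1, 6, struct.pack(">HH", 0, 0xBEEF))  # write reg 0
MEI_REQUEST = build_modbus_tcp(3, 1, 43, bytes([14, 1, 0]))                # read device id


if __name__ == "__main__":
    samples = [("read holding regs", READ_HOLDING),
               ("write register", WRITE_REGISTER),
               ("MEI / device id", MEI_REQUEST)]
    for name, msg in samples:
        print(f"{name:18s} port-filter={port_filter(502):5s} dpi={dpi_filter(502, msg)}")
```

Running it shows the port filter answering ALLOW for all three messages while the DPI filter allows only the read; tightening `read_window` to the registers the HMI actually needs turns an out-of-range read into a deny as well, which is the "filters on fields and values" idea from the last quote.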